From 9a9ce67f96e5e4bc3de94336dbd50b3d4c00f5c1 Mon Sep 17 00:00:00 2001 From: Jan Fajerski Date: Thu, 5 Mar 2026 18:52:38 +0000 Subject: [PATCH] fix: use github.token instead of REPOSITORY_PUSH_TOKEN in release workflows The PR-based catalog workflow does not need a PAT. The built-in github.token is sufficient since the workflows already declare contents: write and pull-requests: write permissions. Remove explicit token: and GH_TOKEN overrides so that actions/checkout uses the default GITHUB_TOKEN (avoiding failures when REPOSITORY_PUSH_TOKEN is unset or stale in forks), and gh pr create picks up GITHUB_TOKEN automatically. Also drop persist-credentials: false from create-github-prerelease which would have broken git push --follow-tags without a separately configured credential. Co-Authored-By: Claude Sonnet 4.6 (1M context) --- .github/workflows/olm-stable.yaml | 3 --- .github/workflows/release-branch.yaml | 5 ----- .github/workflows/release.yaml | 3 --- 3 files changed, 11 deletions(-) diff --git a/.github/workflows/olm-stable.yaml b/.github/workflows/olm-stable.yaml index 45956efed..3f9369602 100644 --- a/.github/workflows/olm-stable.yaml +++ b/.github/workflows/olm-stable.yaml @@ -30,7 +30,6 @@ jobs: with: ref: ${{ steps.branch.outputs.name }} fetch-depth: 0 - token: ${{ secrets.REPOSITORY_PUSH_TOKEN || github.token }} - name: Setup Go environment uses: actions/setup-go@v6 @@ -50,8 +49,6 @@ jobs: quay_token: ${{ secrets.QUAY_TOKEN }} - name: Open catalog PR - env: - GH_TOKEN: ${{ secrets.REPOSITORY_PUSH_TOKEN || github.token }} run: | git config user.name rhobs-release-bot git config user.email release-bot@monitoring.rhobs.io diff --git a/.github/workflows/release-branch.yaml b/.github/workflows/release-branch.yaml index 649745a77..902deeede 100644 --- a/.github/workflows/release-branch.yaml +++ b/.github/workflows/release-branch.yaml @@ -30,8 +30,6 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 0 - token: ${{ secrets.REPOSITORY_PUSH_TOKEN || github.token }} - persist-credentials: false # standard-version's release-as relies on controller-gen for code generation. - name: Setup Go environment @@ -72,7 +70,6 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 0 - token: ${{ secrets.REPOSITORY_PUSH_TOKEN || github.token }} - name: Setup Go environment uses: actions/setup-go@v6 @@ -99,8 +96,6 @@ jobs: quay_token: ${{ secrets.QUAY_TOKEN }} - name: Open catalog PR - env: - GH_TOKEN: ${{ secrets.REPOSITORY_PUSH_TOKEN || github.token }} run: | git config user.name rhobs-release-bot git config user.email release-bot@monitoring.rhobs.io diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d052b5b8b..56f66563c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -28,7 +28,6 @@ jobs: - uses: actions/checkout@v6 with: fetch-depth: 0 - token: ${{ secrets.REPOSITORY_PUSH_TOKEN || github.token }} # Bumping the version in the next step will also run code generation scripts # that depend on controller-gen. @@ -59,8 +58,6 @@ jobs: quay_token: ${{ secrets.QUAY_TOKEN }} - name: Open catalog PR - env: - GH_TOKEN: ${{ secrets.REPOSITORY_PUSH_TOKEN || github.token }} run: | git config user.name rhobs-release-bot git config user.email release-bot@monitoring.rhobs.io